path: root/docs/issues/cgi_gateway.mdwn
blob: 8ac5c1baf3513ee6b5770296772c4d6068371f03 (plain)
* Status: [[!taglink closed]]          <!-- Choose one:         open, closed -->
* Assigned to: [[!taglink jblake]] <!-- Choose one or more: jrayhawk, jblake -->
* Priority: [[!taglink now]]         <!-- Choose one:         now, soon, later -->
* Opened by: jrayhawk

### Discussion

In order for CGIs to work with the current paradigm, we'd need some mechanism
for Apache to execute the various pinyadmin scripts as the involved user. We can
either do this using sudo, which would require a lot of overhead in making and
maintaining sudoers rules, or using an suid binary that does exactly what we
need.

Requirements:

* executable only by www-data
* takes as arguments
  * username
  * pinyadmin command
  * pinyadmin command arguments
* exits if username's uid < 1000
* exits if username violates piny username constraints (specifically git- and
  ikiwiki- are not allowed)
* executes with the appropriate uid/gid the specified pinyadmin command and the
  specified arguments

Obviously any input on this concept is desirable.
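
A sketch of a gateway meeting the requirements above, added here as an example; it is not the piny project's own code. Assumptions: the `PINYADMIN` path, treating `git-` and `ikiwiki-` as forbidden prefixes, the extra character whitelist, and the fixed environment are all hypothetical choices.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PINYADMIN "/usr/sbin/pinyadmin" /* hypothetical install path */
#define MIN_UID 1000

/* Reject reserved names; "git-" and "ikiwiki-" are treated as prefixes (assumption). */
int username_allowed(const char *name) {
    if (!name || !*name || *name == '-') return 0;
    if (strncmp(name, "git-", 4) == 0 || strncmp(name, "ikiwiki-", 8) == 0) return 0;
    for (const char *p = name; *p; p++)  /* conservative charset: added assumption, not piny's rule */
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9') || *p == '-' || *p == '_'))
            return 0;
    return 1;
}

/* Policy decision kept apart from the syscalls so it can be tested on its own. */
int gateway_permits(uid_t caller, uid_t www_uid, const char *name, uid_t target) {
    return caller == www_uid && username_allowed(name) && target >= MIN_UID;
}

/* Install root:www-data, mode 4750; the getuid() check below is defence in depth. */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s user command [args...]\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam("www-data");
    if (!pw) return 1;
    uid_t www_uid = pw->pw_uid;          /* copy now: getpwnam reuses its buffer */
    pw = getpwnam(argv[1]);
    if (!pw || !gateway_permits(getuid(), www_uid, argv[1], pw->pw_uid)) {
        fprintf(stderr, "gateway: request refused\n");
        return 1;
    }
    /* Drop privileges: supplementary groups, then gid, then uid, checking each call. */
    if (initgroups(pw->pw_name, pw->pw_gid) || setgid(pw->pw_gid) || setuid(pw->pw_uid)) return 1;
    if (setuid(0) == 0) return 1;        /* refuse to continue if root can be regained */
    char *envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL }; /* do not inherit Apache's env */
    argv[1] = PINYADMIN;                 /* argv[2..] is the command and its arguments */
    execve(PINYADMIN, argv + 1, envp);
    return 127;                          /* reached only if execve failed */
}
```

Because the command and arguments are passed straight to `execve` with no shell in between, shell metacharacters in CGI-supplied arguments are never interpreted.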

#### jrayhawk 20110121
This appears to be done.